DNS rewrite not working

ohassairi (Level 5)

Hi,

I am trying to configure the DNS rewrite option on my ASA 5520 with version 8.2(1) with ASDM 6.2(1),

but I am still getting the public IP and not the private IP.

DNS inspection is there. May be a bug.


Swaraj Nambiar (Cisco Employee)

Hi,

Could you let me know more about your topology and configuration?

Where are the DNS server and the server (the URL you are trying to resolve) located w.r.t. the ASA?

For DNS rewrite to work properly, you must have your DNS server located across the firewall, i.e., the DNS request from a machine should cross the firewall and go to another interface and then come back via the same path. This means that DNS inspection won't work if you have both the resolving client and the DNS server in the same network segment. Of course, this is in addition to DNS inspection being configured on the firewall.

Let's consider the following example -

client--inside--ASA--outside--DNS server

Client tries to resolve a URL for a server on the inside network of the ASA.

The DNS query then goes through the ASA and reaches the DNS server. The public DNS server on the internet responds with the public IP address of the internal server (this server is local for the client).

The DNS response packet has the public IP address of the server in its payload. The ASA intercepts this response packet to rewrite the IP in the response packet to the private IP address of the server.

The question is, how does the ASA know what the private IP address of the server is?

Well, it understands this based on the static NAT configured for the internal server. Hence, it is also required that the NAT be enabled with the DNS keyword for rewrite to work.

Please check if your scenario satisfies all these requirements.

My server is located in the DMZ.

My DNS is on the outside (ISP DNS).

Static NAT is configured with the dns option.

DNS inspection is configured.

But when I ping my server I still get the public IP !!!!!!!!

Ok. What about the hosts that you are sourcing the ping from, are they also on the DMZ?

Assuming that the host you are sourcing the ping from is also on the DMZ, let's apply captures on the DMZ interface as below -

host ip x.x.x.x

#cap capi interface DMZ match udp host host eq 53

You can then download the capture in pcap format if you have HTTPS enabled on the ASA's DMZ interface by entering the following URL on a web browser -

https:///capture/capi/pcap

Could you also post the relevant configuration from the device?

Regards,

Swaraj

Ummm I found the problem

Imagine you are the firewall and you see a DNS reply from the public DNS server. You open the DNS packet and you find one public IP that you must rewrite. You will look at the static NAT statements and you find that this public IP is natted to different private IPs depending on the TCP port. So you can't know which one is the good one. So you will not translate.

However, if the NAT does not depend on the TCP port, DNS rewrite is done :)

That is absolutely correct! This is mentioned in the configuration guide for the ASA -

http://tools.cisco.com/squish/55AC0

The first "note" on this link mentions the following -

DNS rewrite is not applicable for PAT because multiple PAT rules are applicable for each A-record, and the PAT rule to use is ambiguous.

-Swaraj
